A recent revelation indicates that around 25 individuals have collectively lost cryptocurrency valued at $4.4 million due to a data breach in 2022 that targeted the password storage software, LastPass. On October 27, an anonymous on-chain researcher named ZachXBT, along with Taylor Monahan, a developer at MetaMask, published their findings regarding the movement of stolen funds from approximately 80 compromised wallets.
The victims of this breach primarily included long-time users of LastPass, many of whom were confirmed to have stored their cryptocurrency wallet keys and seeds within the compromised software. This revelation came alongside the release of a Chainabuse report, which detailed the extent of the breach and its implications for the affected users.
In December 2022, LastPass publicly disclosed that the attackers exploited information obtained from a previous breach in August. The attackers used this data to target LastPass employees, ultimately gaining access to their credentials and managing to decrypt stored customer information. Encrypted backups of customer vault data were also stolen, raising concerns that attackers could potentially decrypt them through brute force methods by guessing the account's master password.
In September, cybersecurity journalist Brian Krebs reported that certain LastPass customer vaults had been breached, leading to the theft of more than $35 million worth of cryptocurrency from approximately 150 victims. In response to this ongoing situation, ZachXBT has strongly advised everyone who has ever stored wallet seeds or private keys in LastPass to swiftly transfer their crypto assets to a more secure location to mitigate further risk.
The breach underscores the critical importance of safeguarding cryptocurrency assets and private keys, and of exercising caution when using password management tools to protect sensitive information.